* [PATCH 10/14] HID: ntrig: validate feature report details
@ 2013-08-28 20:31 Jiri Kosina
2013-08-29 15:12 ` Rafi Rubin
0 siblings, 1 reply; 3+ messages in thread
From: Jiri Kosina @ 2013-08-28 20:31 UTC (permalink / raw)
To: linux-input; +Cc: Kees Cook, Rafi Rubin
From: Kees Cook <keescook@chromium.org>
A HID device could send a malicious feature report that would cause the
ntrig HID driver to trigger a NULL dereference during initialization:
[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
...
[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
CVE-2013-2896
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
---
drivers/hid/hid-ntrig.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
index ef95102..5482156 100644
--- a/drivers/hid/hid-ntrig.c
+++ b/drivers/hid/hid-ntrig.c
@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
report_id_hash[0x0d];
- if (!report)
+ if (!report || report->maxfield < 1 ||
+ report->field[0]->report_count < 1)
return -EINVAL;
hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
--
Jiri Kosina
SUSE Labs
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH 10/14] HID: ntrig: validate feature report details
2013-08-28 20:31 [PATCH 10/14] HID: ntrig: validate feature report details Jiri Kosina
@ 2013-08-29 15:12 ` Rafi Rubin
2013-09-04 10:00 ` Jiri Kosina
0 siblings, 1 reply; 3+ messages in thread
From: Rafi Rubin @ 2013-08-29 15:12 UTC (permalink / raw)
To: Jiri Kosina; +Cc: linux-input, Kees Cook
Signed-off-by: Rafi Rubin <rafi@seas.upenn.edu>
Thanks Kees,
Rafi
On 08/28/13 16:31, Jiri Kosina wrote:
> From: Kees Cook <keescook@chromium.org>
>
> A HID device could send a malicious feature report that would cause the
> ntrig HID driver to trigger a NULL dereference during initialization:
>
> [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
> ...
> [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
> [57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
>
> CVE-2013-2896
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Cc: stable@kernel.org
> ---
> drivers/hid/hid-ntrig.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
> index ef95102..5482156 100644
> --- a/drivers/hid/hid-ntrig.c
> +++ b/drivers/hid/hid-ntrig.c
> @@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
> struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
> report_id_hash[0x0d];
>
> - if (!report)
> + if (!report || report->maxfield < 1 ||
> + report->field[0]->report_count < 1)
> return -EINVAL;
>
> hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-09-04 10:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-08-28 20:31 [PATCH 10/14] HID: ntrig: validate feature report details Jiri Kosina
2013-08-29 15:12 ` Rafi Rubin
2013-09-04 10:00 ` Jiri Kosina
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).